Popups..


  • This topic is locked
17 replies to this topic

#1 gossipgirl


Posted 04 April 2007 - 07:35 PM

Hi. I'm having popups and just various weird issues with my computer. Also, Ad-Aware or Ewido (I don't remember which one) removed a file called opopnk.dll, and now whenever I turn on my computer, something comes up saying that there was an error loading it and that "the specified module could not be found." It did the same thing for a while with a file called qomnki.dll. Oh, and McAfee won't open! Whenever I click on it, it just never opens. Once it said that I have to reinstall it or something. And just prior to this, a message came up from McAfee (or it could have been a spyware program, not the real McAfee, I'm not sure) saying that I have a virus to delete, and that I should run a scan. Anyways, here's my log.. any help would be much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 8:26:19 PM, on 04/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {45783235-4020-41d7-b347-8d55da414660} - C:\WINDOWS\system32\LXBEng.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp13.tmp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\bak\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\opopnk.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBE2EB50-9EAB-4076-9F69-17C7C8BC3FE8}: NameServer = 67.69.184.235 67.69.184.84
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: LXBEng - C:\WINDOWS\SYSTEM32\LXBEng.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 gossipgirl


Posted 04 April 2007 - 09:05 PM

I really need help, so if anyone has a chance to help please do! Now McAfee's not even working. Thank you so much.

#3 miekiemoes


Posted 05 April 2007 - 12:45 AM

Hello,

Your McAfee is not fully working because the infection you are dealing with is responsible for infecting legit files which start up with Windows. We'll fix it.

Please make sure you follow the next instructions in exactly the way I describe without missing any step and in the right order!!

* Please download VundoFix.exe to your C:\.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing was found, right-click the list box (white box) in the main VundoFix window.
  • Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
  • In the window, copy and paste the following into the first field: C:\WINDOWS\SYSTEM32\LXBEng.dll
  • Click the “Add Files” button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After reboot,

* Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Do not run the scan yet.
* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O2 - BHO: (no name) - {45783235-4020-41d7-b347-8d55da414660} - C:\WINDOWS\system32\LXBEng.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp13.tmp.dll (file missing)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\opopnk.dll",setvm
O20 - AppInit_DLLs:
O20 - Winlogon Notify: LXBEng - C:\WINDOWS\SYSTEM32\LXBEng.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Start AVG Antispyware.
  • Click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware.
Reboot your computer.

* Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

* Please download the following file to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe
Run the file. This will open a log.

Post the following logs in your next reply:

* Log from AVG Antispyware
* Log from Combofix
* Log from FindAWF
* New HijackThis log

You may need more than one reply to post the logs.
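The five HijackThis entries miekiemoes asks to have fixed share a pattern: BHOs with no name or a missing file, an O4 Run entry that loads a DLL through rundll32 from the Windows root, an AppInit_DLLs value, and a Winlogon Notify DLL that is also registered as a BHO. As an added example that is not part of the thread or of HijackThis itself, this script parses a HijackThis v1.99 log and flags lines matching those rules; the sample lines are copied from the first log in this thread.

```python
"""Flag HijackThis v1.99 entries that match the autostart pattern in this thread.

Added example (not part of the thread or of HijackThis). Rules applied:
  * O2 BHO with "(no name)" or "(file missing)"
  * O4 Run entry that loads a DLL via rundll32 from the Windows root (not System32)
  * O20 AppInit_DLLs line (normally absent from a clean log)
  * O20 Winlogon Notify DLL whose path is also registered as a BHO
"""
import ntpath
import re

WINDOWS_ROOT = r"c:\windows"

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<entry>\S+)',
                       re.IGNORECASE)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Constructed sample: lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {45783235-4020-41d7-b347-8d55da414660} - C:\WINDOWS\system32\LXBEng.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp13.tmp.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\opopnk.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: LXBEng - C:\WINDOWS\SYSTEM32\LXBEng.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def bho_paths(lines):
    """Lower-cased paths of every registered BHO, for cross-checking other entries."""
    return {m.group("path").lower() for m in map(BHO_RE.match, lines) if m}


def triage(log_text):
    """Return [(line, [reason, ...])] for every entry that matches at least one rule."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    known_bhos = bho_paths(lines)
    findings = []
    for line in lines:
        reasons = []
        m = BHO_RE.match(line)
        if m:
            if m.group("name") == "(no name)":
                reasons.append("BHO registered without a name")
            if m.group("missing"):
                reasons.append("BHO points at a file that is no longer on disk")
        m = RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m.group("cmd"))
            # Random-named DLLs dropped straight into C:\WINDOWS (opopnk.dll, then
            # tutuuv.dll in this thread) are loaded this way; legitimate rundll32
            # autostarts such as NvCpl.dll live under System32.
            if r and ntpath.dirname(r.group("dll")).lower() == WINDOWS_ROOT:
                reasons.append("rundll32 autostart loads a DLL from the Windows root")
        if line.startswith("O20 - AppInit_DLLs:"):
            # Anything listed here is mapped into every process that loads user32.dll.
            # In the thread, fixing this entry crashed HijackThis 1.99.1 (Error #5).
            reasons.append("AppInit_DLLs entry present")
        m = NOTIFY_RE.match(line)
        if m and m.group("path").lower() in known_bhos:
            reasons.append("Winlogon Notify DLL is also registered as a BHO")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```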

#4 gossipgirl


Posted 05 April 2007 - 10:20 PM

Thanks very much for your help! I just have a few questions.. I did the VundoFix thing, and it deleted two things, one of which was the LXBEng.dll. (I'll post the log after)
Then I downloaded AVG Anti-Spyware and updated it. This went fine as well.
But then I did the HijackThis scan, and first of all, none of them were present except for O20 - AppInit_DLLs: . When I checked this and clicked fix, the following message came up:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: )
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.


What should I do about that? O20 - AppInit_DLLs now doesn't show up in HijackThis. And also, there was something very similar to:
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\opopnk.dll",setvm
Except instead of opopnk.dll, it said tutuuv.dll. Should I go back and fix this? I am currently running the AVG scan.

Edited by gossipgirl, 06 April 2007 - 01:25 AM.


#5 gossipgirl


Posted 05 April 2007 - 10:32 PM

Uh, never mind about posting the VundoFix log. I thought that you told me to, but that was another log.

#6 gossipgirl


Posted 06 April 2007 - 12:43 AM

OK, here are the logs. Btw, after the ComboFix one, when I first clicked on Internet Explorer, there was a message saying that IE isn't my default internet browser, and asking if I want to make it that. Uh.. that's never happened before. Hmm. Anyways:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:17:09 AM 06/04/2007

+ Scan result:



C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\McAfee.com\Agent\McUpdate.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\McAfee.com\Agent\mcagent.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\McAfee.com\VSO\mcvsshld.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\MessengerPlus! 3\MsgPlus.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Real\RealPlayer\RealPlay.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP274\A0101273.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP279\A0102706.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP279\A0102707.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP279\A0102708.EXE -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP279\A0102724.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP280\A0103001.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP281\A0103240.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP281\A0103241.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP281\A0103243.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP281\A0103244.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP281\A0103245.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP281\A0103246.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP269\A0099501.dll -> Logger.BZub.ib : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP279\A0102755.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP281\A0103151.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP281\A0103242.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP269\A0099500.vbs -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

Edited by gossipgirl, 06 April 2007 - 12:48 AM.


#7 gossipgirl


Posted 06 April 2007 - 12:48 AM

"Gwen" - 07-04-06 1:28:02 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Gwen\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\tmp4.tmp.dll
C:\Program Files\install.log
C:\WINDOWS\system32\info.txt


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\cmdService
-------\Windows Overlay Components
-------\LEGACY_MCHINJDRV
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((((((((( Files Created from 2007-03-06 to 2007-04-06 ))))))))))))))))))))))))))))))))))


2007-04-05 23:00 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-04-04 21:21 <DIR> d-------- C:\DOCUME~1\Gwen\APPLIC~1\McAfee
2007-03-14 17:58 <DIR> d-------- C:\WINDOWS\SYSTEM32\bak
2007-03-14 17:58 <DIR> d-------- C:\WINDOWS\bak
2007-03-12 17:56 <DIR> d-------- C:\DOCUME~1\Chris\APPLIC~1\Nikon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-06 00:15 -------- d-------- C:\Program Files\lexmark x5100 series
2007-04-06 00:15 -------- d-------- C:\Program Files\itunes
2007-04-05 22:31 97280 --a------ C:\VundoFix.exe
2007-04-02 21:47 -------- d-------- C:\Program Files\quicktime
2007-03-14 17:58 -------- d-------- C:\Program Files\msn messenger
2007-03-14 17:58 -------- d-------- C:\Program Files\messengerplus! 3
2007-02-24 18:05 0 --a------ C:\WINDOWS\wgtdhfq.exe
2007-02-01 20:25 0 --a------ C:\WINDOWS\huya.exe
2007-02-01 20:25 0 --a------ C:\WINDOWS\cqot.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"BCMSMMSG"="BCMSMMSG.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"MCUpdateExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\bak\\McUpdate.exe"
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"POINTER"="point32.exe"
"nwiz"="nwiz.exe /install"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"Motive SmartBridge"="C:\\PROGRA~1\\NETASS~1\\SMARTB~1\\MotiveSB.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -h"
"item"="Kodak EasyShare software"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphupd08"
"hkey"="HKLM"
"command"="C:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVGASCLN


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job
C:\WINDOWS\tasks\McAfee.com Update Check (D8VQYV21-Owner).job
C:\WINDOWS\tasks\McAfee.com Update Check (D__-C___).job
C:\WINDOWS\tasks\McAfee.com Update Check (D__-G___).job
C:\WINDOWS\tasks\McAfee.com Update Check (D__-G___).job
C:\WINDOWS\tasks\McAfee.com Update Check (D__-Y___).job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-06 1:31:58
C:\ComboFix-quarantined-files.txt ... 07-04-06 01:31
C:\ComboFix2.txt ... 06-08-29 21:44

Where it says D__C and other things like that, that's just where I took out my last name and the names of people in my family.
There was also something called ComboFix-quarantined-files.txt, so I thought I'd attach that too..

03-06-02 21:52	  207759	--a------	C:\Qoobox\Quarantine\Program Files\INSTALL.LOG.vir 
07-02-24 21:03	  4323	--a------	C:\Qoobox\Quarantine\WINDOWS\SYSTEM32\info.txt.vir 
07-04-05 17:40	  37918	--a------	C:\Qoobox\Quarantine\WINDOWS\SYSTEM32\tmp4.tmp.dll.vir 
07-04-06 01:31	  220	--a------	C:\Qoobox\Quarantine\Registry_backups\services_cmdService.reg.cf 
07-04-06 01:31	  2572	--a------	C:\Qoobox\Quarantine\Registry_backups\services_Windows Overlay Components.reg.cf 
07-04-06 01:31	  884	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_MCHINJDRV.reg.cf 
07-04-06 01:31	  958	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_WINDOWS_OVERLAY_COMPONENTS.reg.cf 


Folder PATH listing
Volume serial number is 04F6-F4BC
C:\QOOBOX
\---Quarantine
	+---Program Files
	|	   INSTALL.LOG.vir
	|	   
	+---Registry_backups
	|	   LEGACY_MCHINJDRV.reg.cf
	|	   LEGACY_WINDOWS_OVERLAY_COMPONENTS.reg.cf
	|	   services_cmdService.reg.cf
	|	   services_Windows Overlay Components.reg.cf
	|	   
	\---WINDOWS
		\---SYSTEM32
				info.txt.vir
				tmp4.tmp.dll.vir



Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

11/05/2000 02:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

25/09/2006 02:54 PM 229,952 iTunesHelper.exe
1 File(s) 229,952 bytes

Directory of C:\PROGRA~1\LEXMAR~1\BAK

04/03/2003 08:49 AM 86,100 lxbabmgr.exe
1 File(s) 86,100 bytes

Directory of C:\PROGRA~1\MESSEN~3\BAK

12/05/2006 05:06 PM 190,024 MsgPlus.exe
1 File(s) 190,024 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

24/09/2006 03:24 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

04/08/2004 12:56 AM 15,360 ctfmon.exe
14/08/2002 07:22 PM 28,672 DSentry.exe
2 File(s) 44,032 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

18/03/2003 01:53 PM 200,704 mcagent.exe
04/08/2003 06:25 PM 159,744 McUpdate.exe
2 File(s) 360,448 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\VSO\BAK

21/03/2003 12:50 PM 122,880 mcmnhdlr.exe
21/03/2003 12:52 PM 159,744 mcvsshld.exe
2 File(s) 282,624 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

28/03/2003 06:20 PM 143,360 mm_tray.exe
02/07/2003 01:35 PM 53,248 mmtask.exe
2 File(s) 196,608 bytes

Directory of C:\PROGRA~1\NETASS~1\SMARTB~1\BAK

22/10/2004 04:13 PM 393,216 MotiveSB.exe
1 File(s) 393,216 bytes

Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

02/06/2003 09:49 PM 26,112 RealPlay.exe
1 File(s) 26,112 bytes

Directory of C:\PROGRA~1\CREATIVE\SBLIVE\DIAGNO~1\BAK

03/04/2002 02:01 AM 135,264 diagent.exe
1 File(s) 135,264 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

26/07/2006 03:03 AM 49,263 jusched.exe
1 File(s) 49,263 bytes


17/12/2002 01:28 PM 684,032 DirectCD.exe
1 File(s) 684,032 bytes

Directory of C:\PROGRA~1\VISUAL~1\VISUAL~1\SYMPAT~1\BAK

20/04/2002 08:00 AM 364,544 IPClient.exe
20/04/2002 08:00 AM 102,400 IPMon32.exe
2 File(s) 466,944 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
36963 Apr 6 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Oct 14 2006 "C:\WINDOWS\Installer\{5878FF02-3B8F-4309-B4E5-0D3DB6F2E8E6}\iTunesIco.exe"
108096 Sep 25 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.1.8\iTunesSetupAdmin.exe"
36963 Apr 6 2007 "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
86100 Mar 4 2003 "C:\Program Files\Lexmark X5100 Series\bak\lxbabmgr.exe"
169096 Jan 19 2005 "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
190024 May 12 2006 "C:\Program Files\MessengerPlus! 3\bak\MsgPlus.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
28672 Aug 14 2002 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe"
200704 Mar 18 2003 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
159744 Aug 4 2003 "C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
122880 Mar 21 2003 "C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe"
159744 Mar 21 2003 "C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe"
53248 Jul 2 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
53248 Jan 17 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
143360 Mar 28 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
135168 Jan 17 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
393216 Oct 22 2004 "C:\Program Files\NetAssistant\SmartBridge\bak\MotiveSB.exe"
393216 Oct 22 2004 "C:\Program Files\NetAssistant\SmartBridge\Original\MotiveSB.exe"
26112 Jun 2 2003 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
135264 Apr 3 2002 "C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe"
684032 Dec 17 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
364544 Apr 20 2002 "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\bak\IPClient.exe"
102400 Apr 20 2002 "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\bak\IPMon32.exe"


end of report

#8 gossipgirl

gossipgirl
  • Topic Starter

  • Members
  • 137 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 06 April 2007 - 12:51 AM

Here's my new HijackThis. :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 1:49:15 AM, on 06/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\bak\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBE2EB50-9EAB-4076-9F69-17C7C8BC3FE8}: NameServer = 67.69.184.235 67.69.184.84
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#9 gossipgirl

gossipgirl
  • Topic Starter

  • Members
  • 137 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 06 April 2007 - 01:30 AM

One more thing.. I have no popups anymore (thank God!) but McAfee still doesn't work. I'm not sure if I already said this, but whenever I log on, it says "Application resources could not be loaded successfully. Please reinstall McAfee.com Security Center." It did that before I originally posted here too. :thumbsup: At least the message about opopnk.dll doesn't come up anymore. However, it was briefly doing the same thing with a file called tutuuv.dll, which leads me to believe that I should've/should remove that HijackThis entry that I mentioned before. But the tutuuv.dll thing isn't coming up anymore when I log on so I don't know.. And btw, thanks for your help. I really appreciate it. :flowers:

Edited by gossipgirl, 06 April 2007 - 01:32 AM.


#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:12:04 AM

Posted 06 April 2007 - 04:24 AM

Hi,

To answer some questions first...

But then I did the HijackThis scan, and first of all, none of them were present except for O20 - AppInit_DLLs: . When I checked this and clicked fix, the following message came up:

Yes, this is normal when you check and fix an O20 AppInit_DLLs entry. This is because HijackThis has problems creating that backup. Don't worry about this error. It's gone after all now.

when I first clicked on Internet Explorer, there was a message saying that IE isn't my default internet browser, and if I want to make it that. Uh.. that's never happened before

Yes, that's what Combofix did. You indeed get that after you run Combofix.

Concerning your McAfee, we'll take a look at that later. The fact is, you were dealing with an infection which copied legit files to a "bak" folder and replaced them with a patched/infected copy in the original folder. And this happened with your McAfee as well. Some scanners deleted the infected files from the original folder, but the legit ones are not restored from the bak folder, which causes a lot of programs not to work anymore, so we have to restore this. Also, some infected ones are still present.

Your HijackThis log looks clean again btw.

Let's deal with the rest now...

* Open notepad and copy and paste the text present in the quotebox below into it:

copy /y "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\bak\IPMon32.exe" "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer"
copy /y "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\bak\IPClient.exe" "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer"
copy /y "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe" "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD"
copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"
copy /y "C:\WINDOWS\bak\UpdReg.EXE" "C:\WINDOWS"
copy /y "C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe" "C:\Program Files\Creative\SBLive\Diagnostics"
copy /y "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe" "C:\Program Files\Real\RealPlayer"
copy /y "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe" "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox"
copy /y "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe" "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox"
copy /y "C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe" "C:\Program Files\McAfee.com\VSO"
copy /y "C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe" "C:\Program Files\McAfee.com\VSO"
copy /y "C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe" "C:\Program Files\McAfee.com\Agent"
copy /y "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe" "C:\Program Files\McAfee.com\Agent"
copy /y "C:\WINDOWS\SYSTEM32\bak\DSentry.exe" "C:\WINDOWS\SYSTEM32"
if exist "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" del /q "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
copy /y "C:\Program Files\MessengerPlus! 3\bak\MsgPlus.exe" "C:\Program Files\MessengerPlus! 3"
if exist "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" del /q "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
copy /y "C:\Program Files\Lexmark X5100 Series\bak\lxbabmgr.exe" "C:\Program Files\Lexmark X5100 Series"
if exist "C:\Program Files\iTunes\iTunesHelper.exe" del /q "C:\Program Files\iTunes\iTunesHelper.exe"
copy /y "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes"
if exist "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe" del /q "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe"
if exist "C:\WINDOWS\wgtdhfq.exe" del /q "C:\WINDOWS\wgtdhfq.exe"
if exist "C:\WINDOWS\huya.exe" del /q "C:\WINDOWS\huya.exe"
if exist "C:\WINDOWS\cqot.exe" del /q "C:\WINDOWS\cqot.exe"

Save this as replace.bat, choose to save as *all files, and place it on your desktop.
It should look like this: [image]
(In case you are unsure how to create a bat file, take a look here with screenshots.)

* Reboot into Safe Mode (without networking support!):
To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

Once in Safe mode, doubleclick replace.bat you created previously. Important step!

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Reboot back to normal mode.

* download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on desktop
right click the file and select install, that will reset the zone settings that have been altered

and also

* Download: ResetProtocolDefaults.reg
http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg

Locate "ResetProtocolDefaults.reg"
Right-click and select: Merge (Ok the prompt)

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Rescan with FindAWF and post the log in your next reply together with a new Hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
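As an added illustration (not code from the thread, from FindAWF or from its author) of how the report's "Duplicate files of bak directory contents" section can be triaged the way the helper did above: the script below pairs every file under a bak folder with the path one level up, marks the original as MISSING (a scanner removed the patched copy), SUSPECT (a file of a different size or date sits where the legit one was) or MATCH (legit copy back in place), and emits the del / copy /y lines a repair batch file would need. The sample lines are constructed in FindAWF's format, and the size/date comparison rule and the status names are assumptions for this example.

```python
"""Triage a FindAWF-style 'Duplicate files of bak directory contents' listing.

Added example, not part of FindAWF: each file under a ``bak`` folder is paired
with its original location and the result is turned into a repair plan in the
same shape as the replace.bat used in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the report's format (size, date, quoted path).
SAMPLE_REPORT = r'''
36963 Apr 6 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
200704 Mar 18 2003 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
36963 Apr 6 2007 "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
86100 Mar 4 2003 "C:\Program Files\Lexmark X5100 Series\bak\lxbabmgr.exe"
'''

LINE_RE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


@dataclass(frozen=True)
class Entry:
    size: int
    date: str
    path: str


def parse_report(text):
    """Return one Entry per well-formed line; anything else is ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def original_path(bak_path):
    """Map '<dir>\\bak\\<file>' to '<dir>\\<file>'; None if not under a bak folder."""
    parts = bak_path.split("\\")
    if len(parts) < 3 or parts[-2].lower() != "bak":
        return None
    return "\\".join(parts[:-2] + parts[-1:])


def triage(entries):
    """Classify each bak file against its original location.

    Returns (status, bak_entry, original_entry_or_None) tuples, where status is
    MISSING, SUSPECT or MATCH (assumed rule: same size and date means legit).
    """
    by_path = {e.path.lower(): e for e in entries}
    results = []
    for bak in entries:
        orig_path = original_path(bak.path)
        if orig_path is None:
            continue
        orig = by_path.get(orig_path.lower())
        if orig is None:
            status = "MISSING"   # scanner deleted the patched copy; program is broken
        elif orig.size != bak.size or orig.date != bak.date:
            status = "SUSPECT"   # a different binary sits where the legit one was
        else:
            status = "MATCH"     # legit copy already back in its original folder
        results.append((status, bak, orig))
    return results


def suspect_size_clusters(results):
    """Sizes shared by several SUSPECT originals: one patched binary stamped
    over many unrelated programs is the tell-tale shape of this infection."""
    sizes = Counter(o.size for s, _, o in results if s == "SUSPECT")
    return {size: n for size, n in sizes.items() if n > 1}


def repair_commands(results):
    """Batch lines that put the legit copies back, mirroring replace.bat."""
    cmds = []
    for status, bak, orig in results:
        if status == "MATCH":
            continue
        dest_dir = original_path(bak.path).rsplit("\\", 1)[0]
        if status == "SUSPECT":
            cmds.append(f'if exist "{orig.path}" del /q "{orig.path}"')
        cmds.append(f'copy /y "{bak.path}" "{dest_dir}"')
    return cmds


if __name__ == "__main__":
    res = triage(parse_report(SAMPLE_REPORT))
    for status, bak, _ in res:
        print(f"{status:8} {bak.path}")
    print("shared suspect sizes:", suspect_size_clusters(res))
    print("\n".join(repair_commands(res)))
```

On the sample, the two 36963-byte originals dated the same day stand out as one patched binary written over two unrelated programs, which is exactly the pattern the bak folders in the report point to.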

#11 gossipgirl

gossipgirl
  • Topic Starter

  • Members
  • 137 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 06 April 2007 - 09:55 AM

Thanks for clearing that up. :thumbsup: Ok, so I created the replace.bat file fine. But for some reason I clicked on it.. so it opened for a sec and then it closed after all of the files kind of went past. I now know that I wasn't supposed to open it yet. So I deleted the replace.bat, and made another one. Did I mess things up?

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:12:04 AM

Posted 06 April 2007 - 10:05 AM

Hi,

No, you didn't mess things up, it's just that, in normal mode, some files won't get deleted because they are in use - or replaced properly.
Just perform the rest of my steps and doubleclick on it in Windows Safe mode.

Then post the logs I asked afterwards. :thumbsup:

#13 gossipgirl

gossipgirl
  • Topic Starter

  • Members
  • 137 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 06 April 2007 - 01:53 PM

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

11/05/2000 02:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

25/09/2006 02:54 PM 229,952 iTunesHelper.exe
1 File(s) 229,952 bytes

Directory of C:\PROGRA~1\LEXMAR~1\BAK

04/03/2003 08:49 AM 86,100 lxbabmgr.exe
1 File(s) 86,100 bytes

Directory of C:\PROGRA~1\MESSEN~3\BAK

12/05/2006 05:06 PM 190,024 MsgPlus.exe
1 File(s) 190,024 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

24/09/2006 03:24 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

04/08/2004 12:56 AM 15,360 ctfmon.exe
14/08/2002 07:22 PM 28,672 DSentry.exe
2 File(s) 44,032 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

18/03/2003 01:53 PM 200,704 mcagent.exe
04/08/2003 06:25 PM 159,744 McUpdate.exe
2 File(s) 360,448 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\VSO\BAK

21/03/2003 12:50 PM 122,880 mcmnhdlr.exe
21/03/2003 12:52 PM 159,744 mcvsshld.exe
2 File(s) 282,624 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

28/03/2003 06:20 PM 143,360 mm_tray.exe
02/07/2003 01:35 PM 53,248 mmtask.exe
2 File(s) 196,608 bytes

Directory of C:\PROGRA~1\NETASS~1\SMARTB~1\BAK

22/10/2004 04:13 PM 393,216 MotiveSB.exe
1 File(s) 393,216 bytes

Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

02/06/2003 09:49 PM 26,112 RealPlay.exe
1 File(s) 26,112 bytes

Directory of C:\PROGRA~1\CREATIVE\SBLIVE\DIAGNO~1\BAK

03/04/2002 02:01 AM 135,264 diagent.exe
1 File(s) 135,264 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

0 File(s) 0 bytes


17/12/2002 01:28 PM 684,032 DirectCD.exe
1 File(s) 684,032 bytes

Directory of C:\PROGRA~1\VISUAL~1\VISUAL~1\SYMPAT~1\BAK

20/04/2002 08:00 AM 364,544 IPClient.exe
20/04/2002 08:00 AM 102,400 IPMon32.exe
2 File(s) 466,944 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\UpdReg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
229952 Sep 25 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Oct 14 2006 "C:\WINDOWS\Installer\{5878FF02-3B8F-4309-B4E5-0D3DB6F2E8E6}\iTunesIco.exe"
108096 Sep 25 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.1.8\iTunesSetupAdmin.exe"
86100 Mar 4 2003 "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
86100 Mar 4 2003 "C:\Program Files\Lexmark X5100 Series\bak\lxbabmgr.exe"
190024 May 12 2006 "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
190024 May 12 2006 "C:\Program Files\MessengerPlus! 3\bak\MsgPlus.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
28672 Aug 14 2002 "C:\WINDOWS\SYSTEM32\DSentry.exe"
28672 Aug 14 2002 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe"
200704 Mar 18 2003 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
200704 Mar 18 2003 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
159744 Aug 4 2003 "C:\Program Files\McAfee.com\Agent\McUpdate.exe"
159744 Aug 4 2003 "C:\Program Files\McAfee.com\Agent\bak\McUpdate.exe"
122880 Mar 21 2003 "C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe"
122880 Mar 21 2003 "C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe"
159744 Mar 21 2003 "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
159744 Mar 21 2003 "C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe"
53248 Jul 2 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
53248 Jul 2 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
53248 Jan 17 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
143360 Mar 28 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
143360 Mar 28 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
135168 Jan 17 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
393216 Oct 22 2004 "C:\Program Files\NetAssistant\SmartBridge\bak\MotiveSB.exe"
393216 Oct 22 2004 "C:\Program Files\NetAssistant\SmartBridge\Original\MotiveSB.exe"
26112 Jun 2 2003 "C:\Program Files\Real\RealPlayer\RealPlay.exe"
26112 Jun 2 2003 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
135264 Apr 3 2002 "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe"
135264 Apr 3 2002 "C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe"
684032 Dec 17 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
684032 Dec 17 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"
364544 Apr 20 2002 "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe"
364544 Apr 20 2002 "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\bak\IPClient.exe"
102400 Apr 20 2002 "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
102400 Apr 20 2002 "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\bak\IPMon32.exe"


end of report


Logfile of HijackThis v1.99.1
Scan saved at 2:50:39 PM, on 06/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBE2EB50-9EAB-4076-9F69-17C7C8BC3FE8}: NameServer = 67.69.184.235 67.69.184.84
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#14 gossipgirl

gossipgirl
  • Topic Starter

  • Members
  • 137 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 06 April 2007 - 02:00 PM

Thanks for all the help. McAfee now works and there's no message whenever anyone logs on!! No popups either. :D

Edited by gossipgirl, 06 April 2007 - 02:01 PM.


#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:12:04 AM

Posted 06 April 2007 - 02:21 PM

Hi,

Your log looks clean - and it looks like the files are replaced properly.

You may delete the next bak folders:

C:\WINDOWS\bak
C:\Program Files\iTunes\bak
C:\Program Files\Lexmark X5100 Series\bak
C:\Program Files\MessengerPlus! 3\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\SYSTEM32\bak
C:\Program Files\McAfee.com\Agent\bak
C:\Program Files\McAfee.com\VSO\bak
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
C:\Program Files\NetAssistant\SmartBridge\bak
C:\Program Files\Real\RealPlayer\bak
C:\Program Files\Creative\SBLive\Diagnostics\bak
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\bak

However, you don't really have to delete them, since the files present in there are legit, those were the ones we replaced to their original location afterwards.

Good to hear your McAfee works again also. But that's since we replaced the file from the bak folder back to its original folder.

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!



